CVE-2026-5071
SocketCAN Buffer Length Validation Flaw Leads to Out-of-Bounds Read
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: Zephyr Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zephyrproject | zephyr | From 4.3 (inc) |
| zephyrproject | zephyr | From 4.2 (inc) |
| zephyrproject | zephyr | From 3.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5071 affects the SocketCAN implementation in the Zephyr RTOS. In the sendto path (zcan_sendto_ctx), the only check on the length of the user-supplied buffer that is expected to hold a struct socketcan_frame is a NET_ASSERT. Zephyr's assertions are compiled out when CONFIG_ASSERT is disabled, which is the normal configuration for production firmware, so in those builds the length check does not exist at all. A local user, meaning any code on the device that can call sendto() on a CAN socket, can pass a buffer shorter than sizeof(struct socketcan_frame); the kernel then parses a full frame out of it and reads past the end of the buffer.
The out-of-bounds read has two consequences: it can crash the system (denial of service), and it can leak adjacent memory, because the parsed frame, including whatever bytes happened to follow the short buffer, is transmitted on the CAN bus where any other node can observe it.
How can this vulnerability impact me?
A local attacker can trigger denial-of-service crashes on a device running the affected Zephyr SocketCAN code. Because the parsed frame contents are transmitted on the CAN bus, the same read can also disclose adjacent kernel memory to every node on that bus, which may include sensitive data. The attack requires local code execution on the device with access to a CAN socket; it is not reachable from the bus itself.
What immediate steps should I take to mitigate this vulnerability?
Apply the Zephyr fix that replaces the NET_ASSERT in zcan_sendto_ctx with an explicit runtime check of the buffer length, so that a buffer shorter than a socketcan_frame is rejected with an error in every build configuration rather than only in debug builds.
Fixes are available on the 4.3, 4.2 and 3.7 release branches; rebuild and redeploy the firmware from a fixed revision. Note that simply re-enabling CONFIG_ASSERT is not a mitigation: a failing assertion is itself a fatal error in Zephyr, so it turns the memory leak into a guaranteed crash instead of rejecting the bad input.
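The following is an added example written for this page, not Zephyr's code: it models the assertion-only length check described above beside the explicit runtime check that the fix introduces, and shows why the first one leaks. The struct layout, the NET_ASSERT macro and the function names zcan_sendto_vulnerable, zcan_sendto_fixed and leaked_bytes are simplified stand-ins; CONFIG_ASSERT is used here only as a compile-time switch that mimics Zephyr's assertion Kconfig, and the "SECRET!!" bytes are constructed test data standing in for whatever happens to sit after a short buffer.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of NET_ASSERT: compile with -DCONFIG_ASSERT to get a debug build.
 * Without it (the production case) the check expands to nothing. */
#ifdef CONFIG_ASSERT
#define NET_ASSERT(cond) assert(cond)
#else
#define NET_ASSERT(cond) ((void)0)
#endif

/* Stand-in for struct socketcan_frame (simplified, not Zephyr's exact layout). */
struct socketcan_frame {
    uint32_t can_id;
    uint8_t  len;       /* number of valid payload bytes, 0..8 */
    uint8_t  flags;
    uint8_t  res0;
    uint8_t  res1;
    uint8_t  data[8];
};
#define SOCKETCAN_HDR_LEN 8   /* bytes before data[] */

/* What is handed to the CAN driver and appears on the bus. */
struct can_frame {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
};

/* Last frame "transmitted"; lets the demo inspect what reached the bus. */
static struct can_frame bus_last;

static void transmit(const struct socketcan_frame *f)
{
    bus_last.id  = f->can_id;
    bus_last.dlc = f->len;
    memcpy(bus_last.data, f->data, sizeof(bus_last.data));
}

/* Vulnerable pattern: the assertion is the only guard. In a build where it is
 * compiled out, sizeof(f) bytes are read from buf no matter how small len is. */
int zcan_sendto_vulnerable(const void *buf, size_t len)
{
    struct socketcan_frame f;
    NET_ASSERT(len == sizeof(f));
    memcpy(&f, buf, sizeof(f));      /* out-of-bounds read when len < sizeof(f) */
    transmit(&f);
    return (int)len;
}

/* Hardened pattern: explicit checks that survive in every build. */
int zcan_sendto_fixed(const void *buf, size_t len)
{
    struct socketcan_frame f;
    if (buf == NULL || len < sizeof(f)) {
        return -EINVAL;              /* short buffer: reject, do not parse */
    }
    memcpy(&f, buf, sizeof(f));
    if (f.len > sizeof(f.data)) {
        return -EINVAL;              /* classic CAN carries at most 8 payload bytes */
    }
    transmit(&f);
    return (int)sizeof(f);
}

/* Constructed scenario: a 16-byte region holds a truncated frame (header only)
 * immediately followed by 8 bytes the caller never meant to send. The handler
 * is told the buffer is 8 bytes long. Returns how many of the 8 adjacent bytes
 * ended up in the transmitted frame. The backing array keeps the demo itself
 * free of undefined behaviour; on a real device those bytes are whatever
 * follows the caller's buffer. */
int leaked_bytes(int (*handler)(const void *, size_t))
{
    uint8_t backing[16];
    uint32_t id = 0x123;
    int n = 0;

    memset(&bus_last, 0, sizeof(bus_last));
    memset(backing, 0, sizeof(backing));
    memcpy(backing, &id, sizeof(id));        /* can_id */
    backing[4] = 8;                          /* claims 8 payload bytes, none supplied */
    memcpy(backing + 8, "SECRET!!", 8);      /* adjacent memory (constructed) */

    if (handler(backing, SOCKETCAN_HDR_LEN) < 0) {
        return 0;                            /* rejected: nothing transmitted */
    }
    for (int i = 0; i < 8; i++) {
        n += (bus_last.data[i] == backing[8 + i]);
    }
    return n;
}

int main(void)
{
    printf("vulnerable handler leaked %d adjacent bytes\n",
           leaked_bytes(zcan_sendto_vulnerable));
    printf("fixed handler leaked %d adjacent bytes\n",
           leaked_bytes(zcan_sendto_fixed));
    return 0;
}
```

Build it without -DCONFIG_ASSERT to see the production behaviour: the vulnerable handler puts all eight adjacent bytes on the bus, while the fixed handler returns -EINVAL and transmits nothing. Building with -DCONFIG_ASSERT makes the vulnerable handler abort instead, which is the crash-only outcome that re-enabling assertions gives you on a device.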
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The out-of-bounds read can expose adjacent memory on the CAN bus, so on a device that handles personal or health data it is a potential disclosure of that data to other bus nodes. Such a disclosure is the kind of event data-protection regimes such as GDPR or HIPAA require you to prevent and, where it occurs, to assess and possibly report.
The available information for this CVE does not discuss compliance implications or name any specific regulatory impact; whether any apply depends on what data the affected device processes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is a local denial of service and memory leak triggered by passing a truncated socketcan_frame buffer to sendto() on a CAN socket in the Zephyr SocketCAN implementation. Because Zephyr is an embedded RTOS, there is no host-style scanner or network signature for it; detection is a matter of firmware inventory and build configuration.
Determine whether a device is affected from its build artifacts: the Zephyr version (the VERSION file at the root of the Zephyr tree, or the version the firmware reports at boot) falls in an affected range, the build has CAN sockets enabled (CONFIG_NET_SOCKETS_CAN=y in the generated zephyr/.config under the build directory), and the tree does not contain the fix to zcan_sendto_ctx. Also record whether CONFIG_ASSERT is enabled: with it off the bug is a silent leak, with it on the same input produces a fatal assertion instead.
At runtime the only observable symptoms are fatal-error logs, watchdog resets, or CAN frames carrying unexpected payload bytes, all of which need a per-device baseline to be meaningful. You can confirm the bug directly by sending a buffer shorter than sizeof(struct socketcan_frame) through sendto() from code on the device, but treat that as a crash test to run on a bench unit, not on deployed hardware. No detection scripts or commands are provided in the available resources for this CVE.